On 12/23/-58 20:59, Eric wrote:
> in this case, pf logging looks like this:
>
> # > tcpdump -etttti pflog0
> # > tcpdump: WARNING: pflog0: no IPv4 address assigned
> # > tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> # > listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size
> 68 bytes
> # > 2007-03-19 08:19:35.242979 rule 1/0(match): block in on ng0:
> access.savagedata.net > 68.249.177.115: [|icmp]
> # > 2007-03-19 08:19:36.252372 rule 1/0(match): block in on ng0:
> access.savagedata.net > 68.249.177.115: [|icmp]
> # > 2007-03-19 08:19:37.262760 rule 1/0(match): block in on ng0:
> access.savagedata.net > 68.249.177.115: [|icmp]
>
>
> Why is the first host producing more detailed logs? Why isn't pf showing
> the port that was blocked or anything else like it does in the first
> host? Is there a way to make the ng0 interface log more or is this due
> to the netgraph hooks into pf?

ICMP packets do NOT have any port numbers. The example you've shown had 3 ICMP packets being blocked.

On the other side, I'm always using `tcpdump -nettttvvi ...' (the -vv parameter gives more output but might annoy you for SMB / netbios traffic).

HTH,

Volker
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
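
An added example, not part of the original thread: a small Python parser for `tcpdump -e` pflog lines in the layout quoted above. It shows why a record carries no port: ICMP has none, and `[|proto]` marks a decode cut short at the capture size. The TCP sample line and all function names are constructed for illustration, and ports are only split off numeric (`-n`) addresses.

```python
import re

# Record header as printed by `tcpdump -e` on pflog0 (layout from the quoted capture).
PFLOG = re.compile(
    r"^(?P<ts>\S+ \S+) rule (?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>[^)]+)\): "
    r"(?P<action>\w+) (?P<dir>in|out) on (?P<ifname>\S+): "
    r"(?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$"
)
# Assumption: with -n an endpoint is a.b.c.d or a.b.c.d.port; hostnames stay unsplit.
ENDPOINT = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(?:\.(\d{1,5}))?$")
TRUNCATED = re.compile(r"\[\|(\w+)\]")  # [|icmp]: decode cut short by the snap length

def split_endpoint(text):
    """Return (host, port); port is None when the endpoint carries none."""
    m = ENDPOINT.match(text)
    if not m:
        return text, None
    return m.group(1), int(m.group(2)) if m.group(2) else None

def parse_pflog_line(line):
    """Parse one pflog line into a dict, or None if it is not a pf record."""
    m = PFLOG.match(line.strip())
    if not m:
        return None
    src, sport = split_endpoint(m["src"])
    dst, dport = split_endpoint(m["dst"])
    trunc = TRUNCATED.search(m["rest"])
    truncated = trunc.group(1) if trunc else None
    # ICMP never has ports, whether or not the decode was truncated.
    icmp = truncated == "icmp" or m["rest"].lower().startswith("icmp")
    return {"ts": m["ts"], "rule": int(m["rule"]), "action": m["action"],
            "dir": m["dir"], "ifname": m["ifname"], "src": src, "sport": sport,
            "dst": dst, "dport": dport, "truncated": truncated, "icmp": icmp}

SAMPLE = [
    # First line is from the thread; the TCP line is constructed (documentation addresses).
    "2007-03-19 08:19:35.242979 rule 1/0(match): block in on ng0: "
    "access.savagedata.net > 68.249.177.115: [|icmp]",
    "2007-03-19 08:20:01.000001 rule 1/0(match): block in on ng0: "
    "192.0.2.10.51234 > 198.51.100.7.445: S 1:1(0) win 65535",
    "listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 68 bytes",
]

if __name__ == "__main__":
    for text in SAMPLE:
        print(parse_pflog_line(text))
```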
